86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a

Analysis

max time kernel
91s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2022, 14:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Size

4.9MB
MD5

34c8b942c4c9803f3602a8d4053e8661
SHA1

4094c93faaa2f86d0a2ca589d5f11e0a49962cb7
SHA256

86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a
SHA512

efec37c5b6fd8bf6dbce0070aa697a84a3b14067470a6944202d24f65651edb370534bd1a9ab2ea29c3ce7110282a699e46c118f9cd5bf6766a40d2b0c23c056
SSDEEP

98304:mW1wJYKogrW22eSuac75jV1rdOaksuLQTzwVB6BHctbrIXtBCUSO:byJYKogrp6Nc9DofQ46IbrIX2

Score

6^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5080 set thread context of 5092	5080	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4948	5080	WerFault.exe	76
4164	5080	WerFault.exe	76
4796	5080	WerFault.exe	76

Checks processor information in registry 2 TTPs 45 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5092	rundll32.exe
5092	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5092	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 5092	5080	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe	91
PID 5080 wrote to memory of 5092	5080	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe	91
PID 5080 wrote to memory of 5092	5080	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe	91
PID 5080 wrote to memory of 5092	5080	86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe	91

C:\Users\Admin\AppData\Local\Temp\86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe
"C:\Users\Admin\AppData\Local\Temp\86b057102ea4d4f703672bbf978ed69db84d679f8c92b2ab7cad7f146547299a.exe"
1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 824
  2⤵
  - Program crash
  PID:4948
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 856
  2⤵
  - Program crash
  PID:4164
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 900
  2⤵
  - Program crash
  PID:4796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5080 -ip 5080
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5080 -ip 5080
1⤵
PID:2084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\84c7bf32-db39-40e7-95b4-e9bdddb0a182.tmp

Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
1KB

MD5
c98cd13ac41bc5b799af39b201cbd563

SHA1
1852d8094a09243a9f3d773d5894fe7d9b89fd74

SHA256
95803291fa5709ba1a31af43108a7c2746f558534d307adc9ab2ad02fc787ecc

SHA512
2f4045c670641d9bdf171de7ebd443ba76646f1fd990bc4046e2b215f8e4e7bba0dd8acbcefbca78bda29aeceff32b60842fd60556801b27cb7dfe3da494fbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rpiidpytrto.tmp

Filesize
3.5MB

MD5
c597ca48af580cb2755914474a787ddf

SHA1
427cdbd19eadb94f1f89b51a7c3647a3ff7d3925

SHA256
8c67a70fe070595fda6ec977af7da0085d40df299f04cdd5669156752fee3f31

SHA512
c41ab851b712c484184934b2dab7015d329ec485b454b645411f69a97ef4a46351fe892f86522abf19c08cf1b7b6a5212954053b8218046cdfab24ef734e47ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-4828.log

Filesize
470B

MD5
27f209a8bfb57ca10cd2a6d4457f0c20

SHA1
48b2cf6bbdc5207c573f23c910a6b48f8438bc8f

SHA256
0f035931511a1d11c2da08546aed273d58fea487cb98b68fced70f1fd86f82ec

SHA512
1bf063f27e134fd77588fc39d9594dee01757fe29fa393af410a40ce96e99f8a1f8dbe5df86732d1d81f8155a123ddbace5df21f88ab1bfffe427a0390030b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\cfe41bad-7702-44b9-a75b-0d441f0b4c89.tmp

Filesize
19KB

MD5
613b4d43b64a6d9630f389c4e12295b4

SHA1
06bef00ff378997f9b05d77c78563e01fb713e2d

SHA256
bbe5def034f4c1e6c16beb775ecbbbbe5e6f1aa8100639e87997c9f656a002c6

SHA512
3d48d3dbd49750d6154a3ecde4f60b7ba0cdfbf4781357971102222707ff9a6ee34f5cdbbb64111e3b43bf3946c1fdfb5024d1bcf710e13a850b257c61e5a365

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1289b69-6512-49b4-94c5-178649e284db.tmp

Filesize
22KB

MD5
99e972f6d63ded5a9f3d6a06ff481bec

SHA1
b3c98ed6975c649454bce3d88806ad1883e22327

SHA256
d6f11c606729d553e9c9b3d0db9e5d51567ea969bedd98008cce7b9415a17490

SHA512
ecc322a906b25ea835fdfcb528fb0bc11ade80112b9d0783f0c02100a83368b718c45ca5bdbe38c106e3559db7723dc2fdf38e2bf473fb461ddade999d02f416

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC515.tmp

Filesize
62KB

MD5
2e8f497235815362c3d2fe5f4d56010c

SHA1
c6c9c84fbdb7b85261ba818adbc18cab8158d692

SHA256
4420111c2dcd4928407eb5dec0c7270d382375392635959c816faf8b50cb95e3

SHA512
046993e0cbc526bda57a098cbe3902cc1ee81f90540fadd9004a2ac800b6f37703222986de994a07c175555c51cb641e2f71e9c560b6f174fe039b8dc1217133

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
697B

MD5
fe4f6a24e5ab9d2d90051411307cf3a8

SHA1
a65b12b4d8e225eda13862b7ed6f30f56abb9569

SHA256
5ffbef5b65d7969e912ccdad478d225a1927480b6da0f6fa30156ca5eddb7ef5

SHA512
6e6159b5b13f21a2c13cffd92496d384aad7871fc2af079870b12068f9b646a785841b486c94993076cd25638ec8a0abb4aee5451d9602f05469e220f0747c0d

Download Submit
memory/5080-140-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-132-0x00000000034D6000-0x000000000397F000-memory.dmp

Filesize
4.7MB

Download
memory/5080-142-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-143-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-144-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-145-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-164-0x0000000006100000-0x0000000006C69000-memory.dmp

Filesize
11.4MB

Download
memory/5080-146-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-163-0x0000000000400000-0x00000000030D2000-memory.dmp

Filesize
44.8MB

Download
memory/5080-133-0x0000000005320000-0x0000000005975000-memory.dmp

Filesize
6.3MB

Download
memory/5080-134-0x0000000000400000-0x00000000030D2000-memory.dmp

Filesize
44.8MB

Download
memory/5080-135-0x0000000000400000-0x00000000030D2000-memory.dmp

Filesize
44.8MB

Download
memory/5080-136-0x0000000006100000-0x0000000006C69000-memory.dmp

Filesize
11.4MB

Download
memory/5080-141-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-139-0x0000000006C70000-0x0000000006DB0000-memory.dmp

Filesize
1.2MB

Download
memory/5080-138-0x0000000006100000-0x0000000006C69000-memory.dmp

Filesize
11.4MB

Download
memory/5080-137-0x0000000006100000-0x0000000006C69000-memory.dmp

Filesize
11.4MB

Download
memory/5092-151-0x00000000039F0000-0x0000000003B30000-memory.dmp

Filesize
1.2MB

Download
memory/5092-152-0x0000000002DC0000-0x0000000003929000-memory.dmp

Filesize
11.4MB

Download
memory/5092-150-0x00000000039F0000-0x0000000003B30000-memory.dmp

Filesize
1.2MB

Download
memory/5092-148-0x0000000002DC0000-0x0000000003929000-memory.dmp

Filesize
11.4MB

Download
memory/5092-162-0x00000000039F0000-0x0000000003B30000-memory.dmp

Filesize
1.2MB

Download
memory/5092-161-0x00000000039F0000-0x0000000003B30000-memory.dmp

Filesize
1.2MB

Download
memory/5092-149-0x0000000000800000-0x000000000124A000-memory.dmp

Filesize
10.3MB

Download
memory/5092-165-0x0000000002DC0000-0x0000000003929000-memory.dmp

Filesize
11.4MB

Download